The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is alerting health care entities to a phishing email that is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels. This email appears to be an official government communication, and targets employees of HIPAA covered entities and their business associates.

According to OCR, the email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link directs individuals to a non-governmental website marketing a firm’s cybersecurity services.

In their alert, OCR makes clear that in no way is the firm referred to in the letter associated with the U.S. Department of Health and Human Services or the Office for Civil Rights. OCR takes the unauthorized use of this material by this firm very seriously.

In the event that you or your organization has a question as to whether it has received an official communication from our agency regarding a HIPAA audit, please contact OCR via email at OSOCRAudit@hhs.gov.